diff options
author | Treehugger Robot <treehugger-gerrit@google.com> | 2022-06-03 05:53:00 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-06-03 05:53:00 +0000 |
commit | 1c60c225f81f8c9c6d14145fecf51b52b47ac19f (patch) | |
tree | 4cff84e68148755c41f840e3a1fc562ecd8dc768 | |
parent | a56ffcdeef67ca5ac0f7f5cf03231a1db5561f15 (diff) | |
parent | 5caafddc6ba268b60a3c3be97b39e073c342c295 (diff) | |
download | native-1c60c225f81f8c9c6d14145fecf51b52b47ac19f.tar.gz |
Merge "binder: Tweak overflow check for readability" am: 5caafddc6b
Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2106895
Change-Id: I87e29b8a7c6ff89aec286509ad4868eb6429be36
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | libs/binder/RpcState.cpp | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/libs/binder/RpcState.cpp b/libs/binder/RpcState.cpp index 4ef9cd859d..2a8e9c1d8b 100644 --- a/libs/binder/RpcState.cpp +++ b/libs/binder/RpcState.cpp @@ -493,14 +493,13 @@ status_t RpcState::transactAddress(const sp<RpcSession::RpcConnection>& connecti } } - LOG_ALWAYS_FATAL_IF(std::numeric_limits<int32_t>::max() - sizeof(RpcWireHeader) - - sizeof(RpcWireTransaction) < - data.dataSize(), + uint32_t bodySize; + LOG_ALWAYS_FATAL_IF(__builtin_add_overflow(sizeof(RpcWireTransaction), data.dataSize(), + &bodySize), "Too much data %zu", data.dataSize()); - RpcWireHeader command{ .command = RPC_COMMAND_TRANSACT, - .bodySize = static_cast<uint32_t>(sizeof(RpcWireTransaction) + data.dataSize()), + .bodySize = bodySize, }; RpcWireTransaction transaction{ @@ -940,14 +939,12 @@ processTransactInternalTailCall: replyStatus = flushExcessBinderRefs(session, addr, target); } - LOG_ALWAYS_FATAL_IF(std::numeric_limits<int32_t>::max() - sizeof(RpcWireHeader) - - sizeof(RpcWireReply) < - reply.dataSize(), + uint32_t bodySize; + LOG_ALWAYS_FATAL_IF(__builtin_add_overflow(sizeof(RpcWireReply), reply.dataSize(), &bodySize), "Too much data for reply %zu", reply.dataSize()); - RpcWireHeader cmdReply{ .command = RPC_COMMAND_REPLY, - .bodySize = static_cast<uint32_t>(sizeof(RpcWireReply) + reply.dataSize()), + .bodySize = bodySize, }; RpcWireReply rpcReply{ .status = replyStatus, |